more 2.6.20 stable patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 7 Mar 2007 01:16:02 +0000 (17:16 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 7 Mar 2007 01:16:02 +0000 (17:16 -0800)
14 files changed:
queue-2.6.20/bcm43xx-fix-for-4309.patch [new file with mode: 0644]
queue-2.6.20/clear-tcp-segmentation-offload-state-in-ipt_reject.patch [new file with mode: 0644]
queue-2.6.20/fix-atmarp.h-for-userspace.patch [new file with mode: 0644]
queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch [new file with mode: 0644]
queue-2.6.20/fix-ipx-module-unload.patch [new file with mode: 0644]
queue-2.6.20/fix-oops-in-xfrm_audit_log.patch [new file with mode: 0644]
queue-2.6.20/i386-fix-broken-config_compat_vdso-on-i386.patch [new file with mode: 0644]
queue-2.6.20/md-fix-raid10-recovery-problem.patch [new file with mode: 0644]
queue-2.6.20/prevent-pseudo-garbage-in-syn-s-advertized-window.patch [new file with mode: 0644]
queue-2.6.20/series
queue-2.6.20/sky2-pause-flush.patch [new file with mode: 0644]
queue-2.6.20/sky2-tx-timeout-deadlock.patch [new file with mode: 0644]
queue-2.6.20/x86-don-t-require-the-vdso-for-handling-a.out-signals.patch [new file with mode: 0644]
queue-2.6.20/x86_64-fix-wrong-gcc-check-in-bitops.h.patch [new file with mode: 0644]

diff --git a/queue-2.6.20/bcm43xx-fix-for-4309.patch b/queue-2.6.20/bcm43xx-fix-for-4309.patch
new file mode 100644 (file)
index 0000000..f872799
--- /dev/null
@@ -0,0 +1,37 @@
+From stable-bounces@linux.kernel.org Sat Feb 17 09:45:44 2007
+From: Stefano Brivio <stefano.brivio@polimi.it>
+Date: Sat, 17 Feb 2007 18:43:14 +0100
+Subject: bcm43xx: fix for 4309
+To: stable@kernel.org
+Cc: John Linville <linville@tuxdriver.com>, Stefano Brivio <stefano.brivio@polimi.it>, Larry Finger <larry.finger@lwfinger.net>
+Message-ID: <200702171843.14872.mb@bu3sch.de>
+Content-Disposition: inline
+
+From: Stefano Brivio <stefano.brivio@polimi.it>
+
+BCM4309 devices aren't working properly as A PHYs aren't supported yet, but
+we probe 802.11a cores anyway. This fixes it, while still allowing for A PHY code
+to be developed in the future.
+
+Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
+Cc: Michael Buesch <mb@bu3sch.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/bcm43xx/bcm43xx_main.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- linux-2.6.20.1.orig/drivers/net/wireless/bcm43xx/bcm43xx_main.c
++++ linux-2.6.20.1/drivers/net/wireless/bcm43xx/bcm43xx_main.c
+@@ -2736,8 +2736,9 @@ static int bcm43xx_probe_cores(struct bc
+                                * dangling pins on the second core. Be careful
+                                * and ignore these cores here.
+                                */
+-                              if (bcm->pci_dev->device != 0x4324) {
+-                                      dprintk(KERN_INFO PFX "Ignoring additional 802.11 core.\n");
++                              if (1 /*bcm->pci_dev->device != 0x4324*/ ) {
++                              /* TODO: A PHY */
++                                      dprintk(KERN_INFO PFX "Ignoring additional 802.11a core.\n");
+                                       continue;
+                               }
+                       }
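Review bot: The new condition `if (1 /*bcm->pci_dev->device != 0x4324*/ )` in bcm43xx_probe_cores leaves an always-true test with the old check commented out, and the `/* TODO: A PHY */` marker sits inside the block at the `if`'s own indent. The comment kept above it still explains the skip by dangling pins on the second core, while the commit message gives a different reason (A PHYs are not supported yet). I would drop the dead test and state the reason in place, for example `/* TODO: A PHY is not supported yet, so skip every additional 802.11 core. */` followed by the unconditional `dprintk` and `continue`. The function body starts and ends outside the hunk.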
diff --git a/queue-2.6.20/clear-tcp-segmentation-offload-state-in-ipt_reject.patch b/queue-2.6.20/clear-tcp-segmentation-offload-state-in-ipt_reject.patch
new file mode 100644 (file)
index 0000000..11cac24
--- /dev/null
@@ -0,0 +1,39 @@
+From stable-bounces@linux.kernel.org Tue Feb 13 18:14:08 2007
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 13 Feb 2007 18:12:38 -0800 (PST)
+Subject: Clear TCP segmentation offload state in ipt_REJECT
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070213.181238.74561510.davem@davemloft.net>
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[NETFILTER]: Clear GSO bits for TCP reset packet
+
+The TCP reset packet is copied from the original.  This
+includes all the GSO bits which do not apply to the new
+packet.  So we should clear those bits.
+
+Spotted by Patrick McHardy.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/netfilter/ipt_REJECT.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- linux-2.6.20.1.orig/net/ipv4/netfilter/ipt_REJECT.c
++++ linux-2.6.20.1/net/ipv4/netfilter/ipt_REJECT.c
+@@ -79,6 +79,10 @@ static void send_reset(struct sk_buff *o
+       nskb->mark = 0;
+       skb_init_secmark(nskb);
++      skb_shinfo(nskb)->gso_size = 0;
++      skb_shinfo(nskb)->gso_segs = 0;
++      skb_shinfo(nskb)->gso_type = 0;
++
+       tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+       /* Swap source and dest */
diff --git a/queue-2.6.20/fix-atmarp.h-for-userspace.patch b/queue-2.6.20/fix-atmarp.h-for-userspace.patch
new file mode 100644 (file)
index 0000000..5a3b178
--- /dev/null
@@ -0,0 +1,36 @@
+From stable-bounces@linux.kernel.org Tue Feb 13 18:12:53 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 13 Feb 2007 18:11:27 -0800 (PST)
+Subject: Fix atmarp.h for userspace
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070213.181127.39158302.davem@davemloft.net>
+
+
+From: David Miller <davem@davemloft.net>
+
+[ATM]: atmarp.h needs to always include linux/types.h
+
+To provide the __be* types, even for userspace includes.
+
+Reported by Andrew Walrond.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/atmarp.h |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- linux-2.6.20.1.orig/include/linux/atmarp.h
++++ linux-2.6.20.1/include/linux/atmarp.h
+@@ -6,9 +6,7 @@
+ #ifndef _LINUX_ATMARP_H
+ #define _LINUX_ATMARP_H
+-#ifdef __KERNEL__
+ #include <linux/types.h>
+-#endif
+ #include <linux/atmapi.h>
+ #include <linux/atmioc.h>
diff --git a/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch b/queue-2.6.20/fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch
new file mode 100644 (file)
index 0000000..62f470a
--- /dev/null
@@ -0,0 +1,51 @@
+From stable-bounces@linux.kernel.org Tue Feb 13 09:33:02 2007
+From: Douglas Gilbert <dougg@torque.net>
+Date: Tue, 13 Feb 2007 09:31:38 -0800
+Subject: Fix Bug 7994: sleeping function called from invalid context at mm/slab.c:3034
+To: stable@kernel.org
+Cc: Douglas Gilbert <dougg@torque.net>
+Message-ID: <20070213093138.b4fa28c5.akpm@linux-foundation.org>
+
+From: Douglas Gilbert <dougg@torque.net>
+
+ChangeLog:
+   - Use GFP_ATOMIC for allocations that can be called
+     from the queuecommand() entry point
+
+Signed-off-by: Douglas Gilbert <dougg@torque.net>
+Cc: James Bottomley <James.Bottomley@SteelEye.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/scsi_debug.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- linux-2.6.20.1.orig/drivers/scsi/scsi_debug.c
++++ linux-2.6.20.1/drivers/scsi/scsi_debug.c
+@@ -954,7 +954,7 @@ static int resp_inquiry(struct scsi_cmnd
+       int alloc_len, n, ret;
+       alloc_len = (cmd[3] << 8) + cmd[4];
+-      arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_KERNEL);
++      arr = kzalloc(SDEBUG_MAX_INQ_ARR_SZ, GFP_ATOMIC);
+       if (devip->wlun)
+               pq_pdt = 0x1e;  /* present, wlun */
+       else if (scsi_debug_no_lun_0 && (0 == devip->lun))
+@@ -1217,7 +1217,7 @@ static int resp_report_tgtpgs(struct scs
+       alen = ((cmd[6] << 24) + (cmd[7] << 16) + (cmd[8] << 8)
+               + cmd[9]);
+-      arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_KERNEL);
++      arr = kzalloc(SDEBUG_MAX_TGTPGS_ARR_SZ, GFP_ATOMIC);
+       /*
+        * EVPD page 0x88 states we have two ports, one
+        * real and a fake port with no device connected.
+@@ -2044,7 +2044,7 @@ static struct sdebug_dev_info * devInfoR
+               }
+       }
+       if (NULL == open_devip) { /* try and make a new one */
+-              open_devip = kzalloc(sizeof(*open_devip),GFP_KERNEL);
++              open_devip = kzalloc(sizeof(*open_devip),GFP_ATOMIC);
+               if (NULL == open_devip) {
+                       printk(KERN_ERR "%s: out of memory at line %d\n",
+                               __FUNCTION__, __LINE__);
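Review bot: Switching to `GFP_ATOMIC` makes allocation failure more likely, and in resp_inquiry and resp_report_tgtpgs no NULL check on `arr` is visible in the context lines that follow `kzalloc()`; only the devInfoReg hunk tests its result. Both function bodies continue outside the hunks, so a check may exist further down, but if it does not, the first store through `arr` dereferences NULL in atomic context. A guard directly after each allocation, such as `if (!arr) return DID_REQUEUE << 16;`, would turn the failure into a retried command; the return convention of these handlers is not shown here, so the exact value needs confirming against the callers.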
diff --git a/queue-2.6.20/fix-ipx-module-unload.patch b/queue-2.6.20/fix-ipx-module-unload.patch
new file mode 100644 (file)
index 0000000..22b2bf3
--- /dev/null
@@ -0,0 +1,65 @@
+From stable-bounces@linux.kernel.org Tue Feb 13 18:21:10 2007
+From: Jiri Bohac <jbohac@suse.cz>
+Date: Tue, 13 Feb 2007 18:19:47 -0800 (PST)
+Subject: Fix IPX module unload
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070213.181947.28789120.davem@davemloft.net>
+
+From: Jiri Bohac <jbohac@suse.cz>
+
+[IPX]: Fix NULL pointer dereference on ipx unload
+
+Fixes a null pointer dereference when unloading the ipx module.
+
+On initialization of the ipx module, registering certain packet
+types can fail. When this happens, unloading the module later
+dereferences NULL pointers.  This patch fixes that. Please apply.
+
+Signed-off-by: Jiri Bohac <jbohac@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipx/af_ipx.c |   26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- linux-2.6.20.1.orig/net/ipx/af_ipx.c
++++ linux-2.6.20.1/net/ipx/af_ipx.c
+@@ -2035,19 +2035,27 @@ static void __exit ipx_proto_finito(void
+       ipxitf_cleanup();
+-      unregister_snap_client(pSNAP_datalink);
+-      pSNAP_datalink = NULL;
+-
+-      unregister_8022_client(p8022_datalink);
+-      p8022_datalink = NULL;
++      if (pSNAP_datalink) {
++              unregister_snap_client(pSNAP_datalink);
++              pSNAP_datalink = NULL;
++      }
++
++      if (p8022_datalink) {
++              unregister_8022_client(p8022_datalink);
++              p8022_datalink = NULL;
++      }
+       dev_remove_pack(&ipx_8023_packet_type);
+-      destroy_8023_client(p8023_datalink);
+-      p8023_datalink = NULL;
++      if (p8023_datalink) {
++              destroy_8023_client(p8023_datalink);
++              p8023_datalink = NULL;
++      }
+       dev_remove_pack(&ipx_dix_packet_type);
+-      destroy_EII_client(pEII_datalink);
+-      pEII_datalink = NULL;
++      if (pEII_datalink) {
++              destroy_EII_client(pEII_datalink);
++              pEII_datalink = NULL;
++      }
+       proto_unregister(&ipx_proto);
+       sock_unregister(ipx_family_ops.family);
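Review bot: The two `dev_remove_pack()` calls in ipx_proto_finito stay unconditional while the matching `destroy_8023_client()` and `destroy_EII_client()` calls are now guarded. The init path is not part of the hunk; if it only calls `dev_add_pack()` when the client was created, unload would still try to remove a packet type that was never added. Moving each call inside its guard, e.g. `if (p8023_datalink) { dev_remove_pack(&ipx_8023_packet_type); destroy_8023_client(p8023_datalink); ...`, keeps teardown symmetric with setup. The same applies to `ipx_dix_packet_type` and `pEII_datalink`.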
diff --git a/queue-2.6.20/fix-oops-in-xfrm_audit_log.patch b/queue-2.6.20/fix-oops-in-xfrm_audit_log.patch
new file mode 100644 (file)
index 0000000..46b8a53
--- /dev/null
@@ -0,0 +1,98 @@
+From stable-bounces@linux.kernel.org Tue Feb 13 18:24:16 2007
+From: David Miller <davem@davemloft.net>
+Date: Tue, 13 Feb 2007 18:22:46 -0800 (PST)
+Subject: Fix oops in xfrm_audit_log()
+To: stable@kernel.org
+Cc: bunk@stusta.de
+Message-ID: <20070213.182246.88476061.davem@davemloft.net>
+
+From: David Miller <davem@davemloft.net>
+
+[XFRM]: Fix OOPSes in xfrm_audit_log().
+
+Make sure that this function is called correctly, and
+add BUG() checking to ensure the arguments are sane.
+
+Based upon a patch by Joy Latten.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/key/af_key.c       |   11 ++++++-----
+ net/xfrm/xfrm_policy.c |    7 ++++++-
+ net/xfrm/xfrm_user.c   |   12 +++++++-----
+ 3 files changed, 19 insertions(+), 11 deletions(-)
+
+--- linux-2.6.20.1.orig/net/key/af_key.c
++++ linux-2.6.20.1/net/key/af_key.c
+@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *
+                                  &sel, tmp.security, 1);
+       security_xfrm_policy_free(&tmp);
+-      xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+-                     AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+-
+       if (xp == NULL)
+               return -ENOENT;
+-      err = 0;
++      err = security_xfrm_policy_delete(xp);
+-      if ((err = security_xfrm_policy_delete(xp)))
++      xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
++                     AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
++
++      if (err)
+               goto out;
++
+       c.seq = hdr->sadb_msg_seq;
+       c.pid = hdr->sadb_msg_pid;
+       c.event = XFRM_MSG_DELPOLICY;
+--- linux-2.6.20.1.orig/net/xfrm/xfrm_policy.c
++++ linux-2.6.20.1/net/xfrm/xfrm_policy.c
+@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid,
+       if (audit_enabled == 0)
+               return;
++      BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
++              type == AUDIT_MAC_IPSEC_DELSA) && !x);
++      BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
++              type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
++
+       audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
+       if (audit_buf == NULL)
+-      return;
++              return;
+       switch(type) {
+       case AUDIT_MAC_IPSEC_ADDSA:
+--- linux-2.6.20.1.orig/net/xfrm/xfrm_user.c
++++ linux-2.6.20.1/net/xfrm/xfrm_user.c
+@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buf
+               xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
+               security_xfrm_policy_free(&tmp);
+       }
+-      if (delete)
+-              xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+-                             AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
+-
+       if (xp == NULL)
+               return -ENOENT;
+@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buf
+                                             MSG_DONTWAIT);
+               }
+       } else {
+-              if ((err = security_xfrm_policy_delete(xp)) != 0)
++              err = security_xfrm_policy_delete(xp);
++
++              xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
++                             AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
++
++              if (err != 0)
+                       goto out;
++
+               c.data.byid = p->index;
+               c.event = nlh->nlmsg_type;
+               c.seq = nlh->nlmsg_seq;
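Review bot: In pfkey_spddelete and xfrm_get_policy the `xfrm_audit_log()` call now sits after the `xp == NULL` return, so a delete request for a policy that does not exist no longer produces an `AUDIT_MAC_IPSEC_DELSPD` record; the removed lines logged that case with result 0. Failed deletion attempts are events an audit trail is normally expected to keep, so a comment above each early return, such as `/* not audited: xfrm_audit_log() needs a policy to describe */`, should at least record that the gap is deliberate. Separately, the new `BUG_ON()` checks in xfrm_audit_log halt the kernel on a caller bug in a path that, judging by the pfkey and netlink callers shown, is driven by userspace requests; a `WARN_ON()` with an early return would report the same bug without taking the machine down. All three function bodies continue outside their hunks.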
diff --git a/queue-2.6.20/i386-fix-broken-config_compat_vdso-on-i386.patch b/queue-2.6.20/i386-fix-broken-config_compat_vdso-on-i386.patch
new file mode 100644 (file)
index 0000000..59d2910
--- /dev/null
@@ -0,0 +1,43 @@
+From stable-bounces@linux.kernel.org Sat Feb 17 04:49:08 2007
+From: "Jan Beulich" <jbeulich@novell.com>
+Date: Sat, 17 Feb 2007 13:33:31 +0100
+Subject: i386: Fix broken CONFIG_COMPAT_VDSO on i386
+To: stable@kernel.org
+Message-ID: <200702171333.31042.ak@suse.de>
+Content-Disposition: inline
+
+From: "Jan Beulich" <jbeulich@novell.com>
+
+After updating several machines to 2.6.20, I can't boot  anymore the single
+one of them that supports the NX bit and is configured as a 32-bit system.
+
+My understanding is that the VDSO changes in 2.6.20-rc7 were not fully
+cooked, in that with that config option enabled VDSO_SYM(x) now equals
+x, meaning that an address in the fixmap area is now being passed to
+apps via AT_SYSINFO. However, the page is mapped with PAGE_READONLY
+rather than PAGE_READONLY_EXEC.
+
+I'm not certain whether having app code go through the fixmap area is
+intended, but in case it is here is the simple patch that makes things work
+again.
+
+Cc: Theodore Tso <tytso@mit.edu>
+Signed-off-by: Jan Beulich <jbeulich@novell.com>
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/sysenter.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/arch/i386/kernel/sysenter.c
++++ linux-2.6.20.1/arch/i386/kernel/sysenter.c
+@@ -77,7 +77,7 @@ int __init sysenter_setup(void)
+       syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
+ #ifdef CONFIG_COMPAT_VDSO
+-      __set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY);
++      __set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY_EXEC);
+       printk("Compat vDSO mapped to %08lx.\n", __fix_to_virt(FIX_VDSO));
+ #endif
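Review bot: The `__set_fixmap()` call in sysenter_setup now maps the vDSO page executable at the `FIX_VDSO` fixmap address, and nothing at the call site says why. Going by the commit message, userspace is handed this address through AT_SYSINFO, so on NX-capable machines the page has to be executable; it also means that with `CONFIG_COMPAT_VDSO` set there is executable code at one known address, which is worth stating for anyone weighing this option. A comment such as `/* userspace enters through AT_SYSINFO, so this fixmap page must be executable */` would keep a later cleanup from tightening it back to `PAGE_READONLY`. The function body continues outside the hunk.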
diff --git a/queue-2.6.20/md-fix-raid10-recovery-problem.patch b/queue-2.6.20/md-fix-raid10-recovery-problem.patch
new file mode 100644 (file)
index 0000000..9609508
--- /dev/null
@@ -0,0 +1,117 @@
+From stable-bounces@linux.kernel.org Mon Feb 19 22:36:48 2007
+From: NeilBrown <neilb@suse.de>
+Date: Tue, 20 Feb 2007 17:34:47 +1100
+Subject: md: Fix raid10 recovery problem.
+To: Andrew Morton <akpm@linux-foundation.org>
+Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org
+Message-ID: <1070220063447.16129@suse.de>
+
+From: NeilBrown <neilb@suse.de>
+
+There are two errors that can lead to recovery problems with raid10
+when used in 'far' more (not the default).
+
+Due to a '>' instead of '>=' the wrong block is located which would
+result in garbage being written to some random location, quite
+possible outside the range of the device, causing the newly
+reconstructed device to fail.
+
+The device size calculation had some rounding errors (it didn't round
+when it should) and so recovery would go a few blocks too far which
+would again cause a write to a random block address and probably
+a device error.
+
+The code for working with device sizes was fairly confused and spread
+out, so this has been tided up a bit.
+
+Signed-off-by: Neil Brown <neilb@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/md/raid10.c |   38 ++++++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+--- linux-2.6.20.1.orig/drivers/md/raid10.c
++++ linux-2.6.20.1/drivers/md/raid10.c
+@@ -429,7 +429,7 @@ static sector_t raid10_find_virt(conf_t 
+               if (dev < 0)
+                       dev += conf->raid_disks;
+       } else {
+-              while (sector > conf->stride) {
++              while (sector >= conf->stride) {
+                       sector -= conf->stride;
+                       if (dev < conf->near_copies)
+                               dev += conf->raid_disks - conf->near_copies;
+@@ -1801,6 +1801,7 @@ static sector_t sync_request(mddev_t *md
+                                               for (k=0; k<conf->copies; k++)
+                                                       if (r10_bio->devs[k].devnum == i)
+                                                               break;
++                                              BUG_ON(k == conf->copies);
+                                               bio = r10_bio->devs[1].bio;
+                                               bio->bi_next = biolist;
+                                               biolist = bio;
+@@ -2021,19 +2022,30 @@ static int run(mddev_t *mddev)
+       if (!conf->tmppage)
+               goto out_free_conf;
++      conf->mddev = mddev;
++      conf->raid_disks = mddev->raid_disks;
+       conf->near_copies = nc;
+       conf->far_copies = fc;
+       conf->copies = nc*fc;
+       conf->far_offset = fo;
+       conf->chunk_mask = (sector_t)(mddev->chunk_size>>9)-1;
+       conf->chunk_shift = ffz(~mddev->chunk_size) - 9;
++      size = mddev->size >> (conf->chunk_shift-1);
++      sector_div(size, fc);
++      size = size * conf->raid_disks;
++      sector_div(size, nc);
++      /* 'size' is now the number of chunks in the array */
++      /* calculate "used chunks per device" in 'stride' */
++      stride = size * conf->copies;
++      sector_div(stride, conf->raid_disks);
++      mddev->size = stride  << (conf->chunk_shift-1);
++
+       if (fo)
+-              conf->stride = 1 << conf->chunk_shift;
+-      else {
+-              stride = mddev->size >> (conf->chunk_shift-1);
++              stride = 1;
++      else
+               sector_div(stride, fc);
+-              conf->stride = stride << conf->chunk_shift;
+-      }
++      conf->stride = stride << conf->chunk_shift;
++
+       conf->r10bio_pool = mempool_create(NR_RAID10_BIOS, r10bio_pool_alloc,
+                                               r10bio_pool_free, conf);
+       if (!conf->r10bio_pool) {
+@@ -2063,8 +2075,6 @@ static int run(mddev_t *mddev)
+               disk->head_position = 0;
+       }
+-      conf->raid_disks = mddev->raid_disks;
+-      conf->mddev = mddev;
+       spin_lock_init(&conf->device_lock);
+       INIT_LIST_HEAD(&conf->retry_list);
+@@ -2106,16 +2116,8 @@ static int run(mddev_t *mddev)
+       /*
+        * Ok, everything is just fine now
+        */
+-      if (conf->far_offset) {
+-              size = mddev->size >> (conf->chunk_shift-1);
+-              size *= conf->raid_disks;
+-              size <<= conf->chunk_shift;
+-              sector_div(size, conf->far_copies);
+-      } else
+-              size = conf->stride * conf->raid_disks;
+-      sector_div(size, conf->near_copies);
+-      mddev->array_size = size/2;
+-      mddev->resync_max_sectors = size;
++      mddev->array_size = size << (conf->chunk_shift-1);
++      mddev->resync_max_sectors = size << conf->chunk_shift;
+       mddev->queue->unplug_fn = raid10_unplug;
+       mddev->queue->issue_flush_fn = raid10_issue_flush;
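Review bot: In run(), the added line `mddev->size = stride  << (conf->chunk_shift-1);` overwrites the device size the caller passed in, but the two new comments only explain `size` and `stride`. Since the integer divisions above appear to round the value down to whole chunks, a comment like `/* trim mddev->size to the chunks actually used per device */` would make the side effect visible. In sync_request the new `BUG_ON(k == conf->copies)` checks `k`, yet the next visible line indexes `devs[1]` rather than `devs[k]`; if `k` is consumed further down, outside the hunk, a short comment saying so would explain why the assertion sits here.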
diff --git a/queue-2.6.20/prevent-pseudo-garbage-in-syn-s-advertized-window.patch b/queue-2.6.20/prevent-pseudo-garbage-in-syn-s-advertized-window.patch
new file mode 100644 (file)
index 0000000..36730ba
--- /dev/null
@@ -0,0 +1,58 @@
+From 600ff0c24bb71482e7f0da948a931d5c5d72838a Mon Sep 17 00:00:00 2001
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Date: Tue, 13 Feb 2007 12:42:11 -0800
+Subject: [TCP]: Prevent pseudo garbage in SYN's advertized window
+Message-Id: <20070213.182131.102574822.davem@davemloft.net>
+
+From: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+
+TCP may advertize up to 16-bits window in SYN packets (no window
+scaling allowed). At the same time, TCP may have rcv_wnd
+(32-bits) that does not fit to 16-bits without window scaling
+resulting in pseudo garbage into advertized window from the
+low-order bits of rcv_wnd. This can happen at least when
+mss <= (1<<wscale) (see tcp_select_initial_window). This patch
+fixes the handling of SYN advertized windows (compile tested
+only).
+
+In worst case (which is unlikely to occur though), the receiver
+advertized window could be just couple of bytes. I'm not sure
+that such situation would be handled very well at all by the
+receiver!? Fortunately, the situation normalizes after the
+first non-SYN ACK is received because it has the correct,
+scaled window.
+
+Alternatively, tcp_select_initial_window could be changed to
+prevent too large rcv_wnd in the first place.
+
+[ tcp_make_synack() has the same bug, and I've added a fix for
+  that to this patch -DaveM ]
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv4/tcp_output.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.20.1.orig/net/ipv4/tcp_output.c
++++ linux-2.6.20.1/net/ipv4/tcp_output.c
+@@ -481,7 +481,7 @@ static int tcp_transmit_skb(struct sock 
+               /* RFC1323: The window in SYN & SYN/ACK segments
+                * is never scaled.
+                */
+-              th->window      = htons(tp->rcv_wnd);
++              th->window      = htons(min(tp->rcv_wnd, 65535U));
+       } else {
+               th->window      = htons(tcp_select_window(sk));
+       }
+@@ -2160,7 +2160,7 @@ struct sk_buff * tcp_make_synack(struct 
+       }
+       /* RFC1323: The window in SYN & SYN/ACK segments is never scaled. */
+-      th->window = htons(req->rcv_wnd);
++      th->window = htons(min(req->rcv_wnd, 65535U));
+       TCP_SKB_CB(skb)->when = tcp_time_stamp;
+       tcp_syn_build_options((__be32 *)(th + 1), dst_metric(dst, RTAX_ADVMSS), ireq->tstamp_ok,
index c0fef20a230a4e26b80702a108875d6c893ca6a2..5b8f2fceee264a8325acf6e02d08d0a9bdd30fd4 100644 (file)
@@ -31,3 +31,16 @@ ehci-turn-off-remote-wakeup-during-shutdown.patch
 avoid-using-nfsd-process-pools-on-smp-machines.patch
 fix-recently-introduced-problem-with-shutting-down-a-busy-nfs-server.patch
 uhci-fix-port-resume-problem.patch
+fix-bug-7994-sleeping-function-called-from-invalid-context-at-mm-slab.c-3034.patch
+fix-atmarp.h-for-userspace.patch
+clear-tcp-segmentation-offload-state-in-ipt_reject.patch
+fix-ipx-module-unload.patch
+prevent-pseudo-garbage-in-syn-s-advertized-window.patch
+fix-oops-in-xfrm_audit_log.patch
+sky2-pause-flush.patch
+sky2-tx-timeout-deadlock.patch
+x86_64-fix-wrong-gcc-check-in-bitops.h.patch
+x86-don-t-require-the-vdso-for-handling-a.out-signals.patch
+i386-fix-broken-config_compat_vdso-on-i386.patch
+bcm43xx-fix-for-4309.patch
+md-fix-raid10-recovery-problem.patch
diff --git a/queue-2.6.20/sky2-pause-flush.patch b/queue-2.6.20/sky2-pause-flush.patch
new file mode 100644 (file)
index 0000000..43ed50e
--- /dev/null
@@ -0,0 +1,32 @@
+From stable-bounces@linux.kernel.org Fri Feb 16 15:00:49 2007
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Fri, 16 Feb 2007 14:56:10 -0800
+Subject: sky2: dont flush good pause frames
+To: stable@kernel.org
+Message-ID: <20070216225836.148603000@linux-foundation.org>
+Content-Disposition: inline; filename=sky2-pause-flush.patch
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+Don't mark pause frames as errors. This problem caused transmitter not
+to pause and would effectively take out a gigabit switch because the
+it can't handle overrun.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sky2.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/drivers/net/sky2.h
++++ linux-2.6.20.1/drivers/net/sky2.h
+@@ -1579,7 +1579,7 @@ enum {
+       GMR_FS_ANY_ERR  = GMR_FS_RX_FF_OV | GMR_FS_CRC_ERR |
+                         GMR_FS_FRAGMENT | GMR_FS_LONG_ERR |
+-                        GMR_FS_MII_ERR | GMR_FS_GOOD_FC | GMR_FS_BAD_FC |
++                        GMR_FS_MII_ERR | GMR_FS_BAD_FC |
+                         GMR_FS_UN_SIZE | GMR_FS_JABBER,
+ };
diff --git a/queue-2.6.20/sky2-tx-timeout-deadlock.patch b/queue-2.6.20/sky2-tx-timeout-deadlock.patch
new file mode 100644 (file)
index 0000000..d3b4198
--- /dev/null
@@ -0,0 +1,49 @@
+From stable-bounces@linux.kernel.org Fri Feb 16 15:00:49 2007
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+Date: Fri, 16 Feb 2007 14:56:11 -0800
+Subject: sky2: transmit timeout deadlock
+To: stable@kernel.org
+Message-ID: <20070216225836.237453000@linux-foundation.org>
+Content-Disposition: inline; filename=sky2-tx-timeout-deadlock.patch
+
+From: Stephen Hemminger <shemminger@linux-foundation.org>
+
+The code in transmit timeout incorrectly assumed that netif_tx_lock
+was not set.
+
+Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/sky2.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- linux-2.6.20.1.orig/drivers/net/sky2.c
++++ linux-2.6.20.1/drivers/net/sky2.c
+@@ -1796,6 +1796,7 @@ out:
+ /* Transmit timeout is only called if we are running, carries is up
+  * and tx queue is full (stopped).
++ * Called with netif_tx_lock held.
+  */
+ static void sky2_tx_timeout(struct net_device *dev)
+ {
+@@ -1821,17 +1822,14 @@ static void sky2_tx_timeout(struct net_d
+               sky2_write8(hw, STAT_TX_TIMER_CTRL, TIM_START);
+       } else if (report != sky2->tx_cons) {
+               printk(KERN_INFO PFX "status report lost?\n");
+-
+-              netif_tx_lock_bh(dev);
+               sky2_tx_complete(sky2, report);
+-              netif_tx_unlock_bh(dev);
+       } else {
+               printk(KERN_INFO PFX "hardware hung? flushing\n");
+               sky2_write32(hw, Q_ADDR(txq, Q_CSR), BMU_STOP);
+               sky2_write32(hw, Y2_QADDR(txq, PREF_UNIT_CTRL), PREF_UNIT_RST_SET);
+-              sky2_tx_clean(dev);
++              sky2_tx_complete(sky2, sky2->tx_prod);
+               sky2_qset(hw, txq);
+               sky2_prefetch_init(hw, txq, sky2->tx_le_map, TX_RING_SIZE - 1);
diff --git a/queue-2.6.20/x86-don-t-require-the-vdso-for-handling-a.out-signals.patch b/queue-2.6.20/x86-don-t-require-the-vdso-for-handling-a.out-signals.patch
new file mode 100644 (file)
index 0000000..94301ad
--- /dev/null
@@ -0,0 +1,93 @@
+From stable-bounces@linux.kernel.org Sat Feb 17 04:48:52 2007
+From: Andi Kleen <ak@suse.de>
+Date: Sat, 17 Feb 2007 13:33:00 +0100
+Subject: x86: Don't require the vDSO for handling a.out signals
+To: stable@kernel.org
+Message-ID: <200702171333.00846.ak@suse.de>
+Content-Disposition: inline
+
+From: Andi Kleen <ak@suse.de>
+
+x86: Don't require the vDSO for handling a.out signals
+
+and in other strange binfmts. vDSO is not necessarily mapped there.
+
+This fixes signals in a.out programs
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/i386/kernel/signal.c      |    6 +++++-
+ arch/x86_64/ia32/ia32_signal.c |    7 ++++++-
+ fs/binfmt_elf.c                |    3 ++-
+ include/linux/binfmts.h        |    1 +
+ 4 files changed, 14 insertions(+), 3 deletions(-)
+
+--- linux-2.6.20.1.orig/arch/i386/kernel/signal.c
++++ linux-2.6.20.1/arch/i386/kernel/signal.c
+@@ -21,6 +21,7 @@
+ #include <linux/suspend.h>
+ #include <linux/ptrace.h>
+ #include <linux/elf.h>
++#include <linux/binfmts.h>
+ #include <asm/processor.h>
+ #include <asm/ucontext.h>
+ #include <asm/uaccess.h>
+@@ -349,7 +350,10 @@ static int setup_frame(int sig, struct k
+                       goto give_sigsegv;
+       }
+-      restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
++      if (current->binfmt->hasvdso)
++              restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
++      else
++              restorer = (void *)&frame->retcode;
+       if (ka->sa.sa_flags & SA_RESTORER)
+               restorer = ka->sa.sa_restorer;
+--- linux-2.6.20.1.orig/arch/x86_64/ia32/ia32_signal.c
++++ linux-2.6.20.1/arch/x86_64/ia32/ia32_signal.c
+@@ -21,6 +21,7 @@
+ #include <linux/stddef.h>
+ #include <linux/personality.h>
+ #include <linux/compat.h>
++#include <linux/binfmts.h>
+ #include <asm/ucontext.h>
+ #include <asm/uaccess.h>
+ #include <asm/i387.h>
+@@ -449,7 +450,11 @@ int ia32_setup_frame(int sig, struct k_s
+       /* Return stub is in 32bit vsyscall page */
+       { 
+-              void __user *restorer = VSYSCALL32_SIGRETURN; 
++              void __user *restorer;
++              if (current->binfmt->hasvdso)
++                      restorer = VSYSCALL32_SIGRETURN;
++              else
++                      restorer = (void *)&frame->retcode;
+               if (ka->sa.sa_flags & SA_RESTORER)
+                       restorer = ka->sa.sa_restorer;       
+               err |= __put_user(ptr_to_compat(restorer), &frame->pretcode);
+--- linux-2.6.20.1.orig/fs/binfmt_elf.c
++++ linux-2.6.20.1/fs/binfmt_elf.c
+@@ -76,7 +76,8 @@ static struct linux_binfmt elf_format = 
+               .load_binary    = load_elf_binary,
+               .load_shlib     = load_elf_library,
+               .core_dump      = elf_core_dump,
+-              .min_coredump   = ELF_EXEC_PAGESIZE
++              .min_coredump   = ELF_EXEC_PAGESIZE,
++              .hasvdso        = 1
+ };
+ #define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE)
+--- linux-2.6.20.1.orig/include/linux/binfmts.h
++++ linux-2.6.20.1/include/linux/binfmts.h
+@@ -59,6 +59,7 @@ struct linux_binfmt {
+       int (*load_shlib)(struct file *);
+       int (*core_dump)(long signr, struct pt_regs * regs, struct file * file);
+       unsigned long min_coredump;     /* minimal dump size */
++      int hasvdso;
+ };
+ extern int register_binfmt(struct linux_binfmt *);
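Review bot: In ia32_setup_frame the fallback `restorer = (void *)&frame->retcode;` casts away the `__user` annotation that `restorer` is declared with, which sparse would presumably flag; `restorer = (void __user *)&frame->retcode;` keeps the address space. On that fallback, and on the matching one in setup_frame, the return stub is the one stored in the signal frame, which presumably lives on the user stack and so only works where the stack is executable; a comment such as `/* no vDSO mapped: use the stub in the frame, which needs an executable stack */` would document the trade-off. `hasvdso` is set only for `elf_format` in this patch, so every other binfmt relies on the new field defaulting to 0. Both signal functions continue outside their hunks.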
diff --git a/queue-2.6.20/x86_64-fix-wrong-gcc-check-in-bitops.h.patch b/queue-2.6.20/x86_64-fix-wrong-gcc-check-in-bitops.h.patch
new file mode 100644 (file)
index 0000000..1118d9e
--- /dev/null
@@ -0,0 +1,31 @@
+From stable-bounces@linux.kernel.org Sat Feb 17 04:48:52 2007
+From: Andi Kleen <ak@suse.de>
+Date: Sat, 17 Feb 2007 13:35:00 +0100
+Subject: x86_64: Fix wrong gcc check in bitops.h
+To: stable@kernel.org
+Message-ID: <200702171335.00583.ak@suse.de>
+Content-Disposition: inline
+
+
+
+gcc 5.0 will likely not have the constraint problem
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ include/asm-x86_64/bitops.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-2.6.20.1.orig/include/asm-x86_64/bitops.h
++++ linux-2.6.20.1/include/asm-x86_64/bitops.h
+@@ -7,7 +7,7 @@
+ #include <asm/alternative.h>
+-#if __GNUC__ < 4 || __GNUC_MINOR__ < 1
++#if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 1)
+ /* Technically wrong, but this avoids compilation errors on some gcc
+    versions. */
+ #define ADDR "=m" (*(volatile long *) addr)